If someone steals an employee's password—through phishing, a keylogger, or a data breach—they can immediately access your critical systems, steal customer data, or alter financial records, because nothing stands between the password and the account. An Indian manufacturing company lost ₹12 lakhs when a single password breach let an attacker access their GST portal and accounting software, filing false returns before discovery. Without MFA, you also fail the security audits that larger customers (e-commerce platforms, government vendors) require of suppliers, losing contracts worth lakhs monthly. Penalties under the DPDP Act 2023 for failing to take reasonable security safeguards can reach ₹250 crore per instance.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You'll find that all employee logins use only passwords, with no second verification step anywhere. Even admin accounts and bank-linked systems accept just a password.
Initial
You'll see MFA is enabled on one or two critical systems (like email or banking), but most other important systems still use password-only access. Implementation is manual and inconsistent.
Developing
You'll find MFA is required on most critical systems (email, accounting, CRM, ERP), but some older or less-critical systems are still password-only. There's no written policy yet.
Defined
You'll see a documented MFA policy requiring MFA on all systems marked 'critical,' with OTP or app-based codes in use, and audit logs showing compliance. Some systems are still being onboarded, and the remaining gaps are documented.
Managed
You'll find MFA enforced across all critical systems with multiple authentication methods available, regular compliance checks in place, and documented exceptions with approval trails. Users receive training on MFA and security tokens are tracked.
Optimised
You'll see adaptive MFA that adjusts based on login risk, phishing-resistant hardware security keys (FIDO2/WebAuthn) for high-privilege accounts, continuous monitoring of MFA failures, and quarterly reviews of effectiveness with user feedback incorporated. Incident response plans specifically address MFA bypass attempts such as push fatigue (repeated prompts until a user approves) and real-time phishing of OTP codes.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Enable MFA on your email system (Google Workspace or Microsoft 365) and primary banking portal immediately, using an authenticator app where the service offers one and SMS OTP only where it does not. Test with 2-3 staff members first. Document which systems now have MFA. | IT person or designated admin | 2-3 days |
| 1 → 2 | Identify all critical systems (ERP, accounting, CRM, payroll, customer database) and enable MFA on each. Make Google Authenticator or Microsoft Authenticator the primary method and keep SMS OTP only as a fallback, since SMS can be intercepted through SIM swap. Create a simple checklist of which systems have MFA and which method each uses. | IT person with input from department heads | 1-2 weeks |
| 2 → 3 | Write a one-page MFA policy stating which systems require MFA, which authentication methods are acceptable, and how a user recovers access after losing a device. Get sign-off from leadership. Train all staff on how to set up and use MFA. Review the audit logs monthly and keep the review as a record. | IT person with manager approval | 2-3 weeks |
| 3 → 4 | Integrate MFA centrally through a directory service (Microsoft Entra ID, formerly Azure AD, or Okta) so one policy covers multiple applications at once. Set up a hardware security key (FIDO2/WebAuthn) option for admin accounts. Implement automated compliance reporting. Conduct quarterly MFA effectiveness reviews. | IT person or external consultant | 6-8 weeks |
| 4 → 5 | Implement risk-based adaptive MFA (e.g., extra verification triggered by an unusual login location, device, or time). Add hardware token management (issue, track, revoke) for critical roles. Analyze MFA failure patterns monthly, including bursts of denied push prompts, and adjust policies. Include MFA bypass scenarios in annual security incident simulations. | IT person with security consultant oversight | Ongoing quarterly reviews and updates |
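The authenticator-app codes the steps above rely on are TOTP (RFC 6238): the app and the server share a secret and each derives a short code from the current 30-second time step, so nothing travels over SMS. The following is an added example, not code from this page or from any of the named products, showing how a server verifies such a code. It assumes the defaults Google Authenticator and Microsoft Authenticator use (SHA-1, 30-second step, 6 digits), accepts one step of clock skew on either side, and refuses to accept a code for a time step that has already been used, which is what stops a phished code from being replayed after the window. The secret is the RFC 4226/6238 reference key, so the outputs can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Assumed defaults (matching common authenticator apps): 30 s step, 6 digits, SHA-1.
STEP_SECONDS = 30
DIGITS = 6

# Reference secret from RFC 4226 Appendix D / RFC 6238 Appendix B (test data, not a real key).
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of steps since the Unix epoch."""
    return hotp(key, at // step, digits, algo)


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (often unpadded, with spaces)."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def otpauth_uri(issuer: str, account: str, key: bytes) -> str:
    """The otpauth:// URI that a QR code encodes for enrolment (issuer/account are hypothetical)."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check: tolerate +/- skew_steps of clock drift, never accept a
    time step at or below the last one already used (replay protection)."""

    def __init__(self, key: bytes, skew_steps: int = 1):
        self.key = key
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, at: int) -> bool:
        current = at // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue                          # already consumed (or older): treat as replay
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_accepted_step = step
                return True
        return False


def demo() -> dict:
    """Stand-alone run: RFC vectors plus a replay attempt against the verifier."""
    v = TotpVerifier(RFC_KEY)
    code_at_59 = totp(RFC_KEY, 59)
    return {
        "hotp_counter_0": hotp(RFC_KEY, 0),                 # RFC 4226: 755224
        "totp_8digit_at_59": totp(RFC_KEY, 59, digits=8),  # RFC 6238: 94287082
        "first_use_accepted": v.verify(code_at_59, 59),
        "replay_rejected": not v.verify(code_at_59, 70),   # same step, same code
        "enrol_uri": otpauth_uri("ExampleCo", "asha@example.in", RFC_KEY),
        "code_now": totp(RFC_KEY, int(time.time())),
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The skew window is why a code still works for about a minute after it appears, and the `last_accepted_step` check is why the same code cannot be submitted twice; both are points an auditor asking "test it with a sample login" may probe. Production systems also rate-limit attempts, because a 6-digit space is small enough to brute-force without one.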
Documents and records that prove your maturity level.
- List of all critical systems with MFA status (enabled/disabled) documented in a spreadsheet or system inventory
- Screenshots or logs showing MFA configuration for email, banking, ERP, and other key applications
- Written MFA policy or procedure document signed by management, specifying which systems require MFA and which methods are approved
- Training records or sign-off sheets showing employees were trained on how to set up and use MFA
- Monthly or quarterly MFA compliance audit report showing percentage of critical accounts with MFA active and any failed login attempts blocked by MFA
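The compliance report and failure log above are easiest to produce from two inputs: the system inventory spreadsheet and an export of the identity provider's sign-in log. The script below is an added example, not part of this page or of any product's tooling. Its inventory and its CSV log lines are constructed for the example, and the event names (`mfa_success`, `mfa_failure`, `mfa_push_denied`, `password_only_login`) are assumed; a real export from Entra ID, Okta or Google Workspace uses its own schema and would need a small mapping step. It computes the percentage of critical systems with MFA, lists the gaps and the systems still on SMS, and flags two patterns a reviewer will ask about: a burst of MFA failures or denied pushes from one user (push-fatigue or brute-force), and any password-only login to a critical system.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory, in the shape of the "critical systems with MFA status" spreadsheet.
INVENTORY = [
    {"system": "email",          "critical": True,  "mfa": True,  "method": "app"},
    {"system": "banking-portal", "critical": True,  "mfa": True,  "method": "sms"},
    {"system": "erp",            "critical": True,  "mfa": False, "method": ""},
    {"system": "crm",            "critical": True,  "mfa": True,  "method": "app"},
    {"system": "intranet-wiki",  "critical": False, "mfa": False, "method": ""},
]

# Constructed sign-in log. Column and event names are assumed for the example.
SAMPLE_LOG = """\
timestamp,user,system,event
2024-03-04T09:00:05,asha,email,mfa_success
2024-03-04T09:01:10,ravi,erp,password_only_login
2024-03-04T09:30:00,asha,crm,mfa_failure
2024-03-04T09:30:40,asha,crm,mfa_success
2024-03-04T22:14:00,priya,email,mfa_failure
2024-03-04T22:14:20,priya,email,mfa_push_denied
2024-03-04T22:15:05,priya,email,mfa_failure
2024-03-04T22:15:50,priya,email,mfa_failure
2024-03-05T01:00:00,priya,email,mfa_failure
"""

FAILURE_EVENTS = {"mfa_failure", "mfa_push_denied"}


def coverage_report(inventory: list) -> dict:
    """Percentage of critical systems protected by MFA, plus the two lists an auditor wants."""
    critical = [s for s in inventory if s["critical"]]
    covered = [s for s in critical if s["mfa"]]
    pct = round(100 * len(covered) / len(critical), 1) if critical else 100.0
    return {
        "critical_total": len(critical),
        "critical_with_mfa": len(covered),
        "coverage_pct": pct,
        "gaps": sorted(s["system"] for s in critical if not s["mfa"]),
        "sms_only": sorted(s["system"] for s in covered if s["method"] == "sms"),
    }


def parse_log(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows


def mfa_alerts(rows: list, critical_systems: set,
               threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> list:
    """Return (kind, user, system, time) tuples:
    - mfa_failure_burst: `threshold` failures/denied pushes from one user inside `window`
    - password_only_critical: a critical system accepted a login with no second factor"""
    recent = defaultdict(list)          # user -> timestamps of failures still inside the window
    alerts = []
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        when = r["timestamp"]
        if r["event"] == "password_only_login" and r["system"] in critical_systems:
            alerts.append(("password_only_critical", r["user"], r["system"], when.isoformat()))
        if r["event"] in FAILURE_EVENTS:
            times = recent[r["user"]]
            times.append(when)
            while times and when - times[0] > window:   # slide the window forward
                times.pop(0)
            if len(times) == threshold:                  # fire once, when the threshold is first hit
                alerts.append(("mfa_failure_burst", r["user"], r["system"], when.isoformat()))
    return alerts


def run_report() -> dict:
    """Stand-alone run over the constructed data."""
    critical = {s["system"] for s in INVENTORY if s["critical"]}
    return {"coverage": coverage_report(INVENTORY),
            "alerts": mfa_alerts(parse_log(SAMPLE_LOG), critical)}


if __name__ == "__main__":
    report = run_report()
    c = report["coverage"]
    print(f"MFA on {c['critical_with_mfa']}/{c['critical_total']} critical systems ({c['coverage_pct']}%)")
    print("gaps:", c["gaps"], "| still on SMS:", c["sms_only"])
    for a in report["alerts"]:
        print("ALERT", *a)
```

Run monthly and kept with the output, this is the compliance record the evidence list describes; the burst threshold and window are starting points to tune against your own log volume.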
Prepare for these questions from customers or third-party reviewers.
- "Which of your systems are classified as 'critical'? For each one, show me evidence that MFA is enabled and test it with a sample login."
- "What happens if an employee loses their phone or can't receive SMS? Show me your backup authentication procedure and documented exceptions."
- "Can you provide a log of MFA failures or bypass attempts from the last 3 months? What action was taken on any suspicious activity?"
- "Do admin accounts and privileged users have MFA enabled? Show me the policy and a sample admin login with MFA verification."
- "How often do you review who has MFA enabled and on which systems? Show me your last compliance check or audit log."
| Purpose | Free Option | Paid Option |
|---|---|---|
| Provides free MFA via authenticator app or SMS for email and many business applications | Google Authenticator (app), Microsoft Authenticator (app), Authy (app, encrypted cloud backup of tokens for device loss) | — |
| Central identity and access management supporting MFA across multiple apps without individual setup | Keycloak (self-hosted, technical setup required) | Microsoft Entra ID/Azure AD (₹500–2000/user/year), Okta (₹800–3000/user/year) |
| Adds MFA layer in front of your email, VPN, or web applications without modifying the app itself | OpenVPN with TOTP plugins (technical) | Duo Security (₹300–1500/user/year), Fortinet FortiAuthenticator (₹50,000–150,000 setup) |
| Physical, phishing-resistant security keys (FIDO2/WebAuthn) for admin and high-privilege account protection | — | YubiKey 5 (₹4,000–6,000 per key), Google Titan Security Key (₹6,000–8,000 per key) |
| Monitors and alerts on suspicious login attempts and MFA failures | Native logs in Gmail, Microsoft 365, AWS (with learning curve) | Splunk (₹200,000+/year), Datadog (₹100,000+/year) |
- Enabling MFA but only on email—forgetting that accounting, CRM, banking, and ERP systems are just as critical and need it too.
- Relying only on SMS OTP without a backup method; if staff lose their phones or SMS service fails, no one can log in and business stops. SMS is also the weakest factor, since an attacker who SIM-swaps a number receives the codes.
- Not documenting which systems have MFA or the policy, making it impossible to prove compliance during audits or customer security checks.
- Forcing MFA without training staff first, leading to complaints, workarounds (like sharing one authenticator device across a team or leaving recovery codes on sticky notes), and eventual disabling of the feature.
- Exempting admin and finance staff from MFA because they say it's 'inconvenient,' when these accounts are the most dangerous if compromised.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(5) (Data Fiduciary must take reasonable security safeguards to prevent personal data breach) and the Schedule (penalty of up to ₹250 crore for failing to do so) |
| CERT-In Directions 2022 (under Section 70B(6) of the IT Act) | Direction (ii) (report cyber incidents, including unauthorised access, within 6 hours) and Direction (iv) (retain ICT system logs for 180 days, which covers the MFA audit and failure logs above) |
| ISO 27001:2022 | Annex A controls 5.17 (authentication information), 8.2 (privileged access rights), 8.3 (information access restriction) and 8.5 (secure authentication) |
| NIST CSF 2.0 | Protect (PR) function, category PR.AA (Identity Management, Authentication, and Access Control); specifically PR.AA-03 (users, services and hardware are authenticated) and PR.AA-05 (access permissions defined in policy and enforced with least privilege) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.